Cyber Incident Victim: Utah Valley Eye Center
Date:
Jun 2018
Location:
United States of America
Summary
A Utah eye clinic experienced a data breach through a compromised third-party patient appointment reminder portal, leading to unauthorized access of patient email addresses. This exposure resulted in fraudulent emails impersonating PayPal payment notifications being sent to affected individuals. While the clinic confirmed no health or financial information was accessed, attackers potentially obtained additional personal details including names, addresses, phone numbers, and dates of birth. The incident underscores persistent third-party security risks in healthcare systems. The organization collaborated with its vendor, DemandForce, to implement enhanced security measures and revised internal protocols governing third-party system usage following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Utah Valley Eye Center in Provo, Utah, experienced a data breach on June 18, 2018, involving unauthorized access to a third-party patient scheduling portal. Hackers compromised the cloud-based system provided by DemandForce, a San Francisco-based vendor responsible for managing appointment reminders and marketing communications. This intrusion led to fraudulent emails being sent to an undisclosed number of patients, falsely notifying them of PayPal payments received. The eye center discovered that attackers had accessed patient email addresses through the portal, with potential exposure of additional personal information including names, addresses, dates of birth, and phone numbers. No medical records, health information, or financial data were accessed during the incident. The clinic delayed public notification until October 31, 2019, when it mailed disclosure letters to approximately 20,000 affected patients.
In response to the breach, Utah Valley Eye Center immediately collaborated with DemandForce to implement enhanced security measures for the compromised system. The clinic sent corrective emails instructing recipients to disregard the fraudulent PayPal notifications and updated internal policies governing third-party vendor relationships. While confirming the email exposure, the center's investigation could not definitively determine whether other personal data had been exfiltrated, though acknowledged the theoretical possibility. This incident exemplified systemic third-party security challenges, occurring alongside high-profile cases like Verizon's 2017 vendor-related breach affecting 14 million customers. Contemporary industry surveys cited in the disclosure indicated 61% of U.S. companies experienced third-party breaches at the time, with 75% of security executives believing such incidents were increasing in frequency. The clinic's 18-month delay between breach occurrence and patient notification highlighted procedural complexities under HIPAA requirements for medical providers handling data compromises through external vendors.